RISK ASSESSMENT VIA PARTIAL ORDERS

Marco Benini (Italy) and Sabrina Sicari (Italy)

Received January 27, 2009

Abstract

Although risk assessment is a well-established engineering practice to evaluate the security of a system, the significance of the obtained results is often debated since it depends on the estimates of one or more experts. The core of the debate lies in the metrics the experts use to quantify the importance and the impacts of the system vulnerabilities. This work directly addresses this problem on experts’ metrics by showing a risk assessment method that is invariant with respect to compatible metrics. This result is obtained by abstracting over the individual values and, thus, by developing a method based only on the inner content of the experts’ evaluations.

Keywords and phrases: risk assessment, network security, network vulnerability.